import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class ProductService {
    /**
     * @PreAuthorize  -> the authorization rules are evaluated before the protected method is called
     * @PostAuthorize -> the method is called first, and only then does the aspect evaluate the authorization rules
     *
     * @PreFilter  -> the method needs a parameter of type Collection or array;
     *                the aspect intercepts the call and filters the values inside the collection before the method runs
     *
     * @PostFilter -> the returned value needs to be a Collection or an array;
     *                the aspect applies the authorization rules and returns only the values that comply
     */
    // @PreAuthorize("hasAuthority('write')")
    @PreAuthorize("#username == authentication.name")
    public List<String> findProductsForUser(String username) {
        return List.of("beer", "chocolate");
    }
}
hasAuthority checks whether the authenticated user has a matching GrantedAuthority, just like in the endpoint configuration lecture.
@PostAuthorize = the entire method call executes first. After it returns, the aspect takes the returned object and applies the authorization rule; if the rule fails it throws AccessDeniedException, which the web layer translates to a 403 for the caller. Caveat: the method body has already run by then, so any side effect (a write, an audit log entry, a counter) has already happened. Use @PreAuthorize whenever the decision can be made from the parameters alone.
#username = the value of the parameter named username. This relies on the parameter name being available at runtime (Spring Boot builds compile with -parameters by default); if it is not, annotate the parameter with @P("username") so the expression can resolve it.
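As an added example (not code from the lecture or from the book it follows), the same four annotations applied to a second service, with the side-effect caveat of @PostAuthorize and the mutability requirement of @PreFilter spelled out in the comments. OrderService, Order, the in-memory data, the usernames and the hasRole('ADMIN') shortcut are assumptions made for illustration; the class needs the same prePostEnabled configuration as ProductService.

```java
package com.example.methodsecurity;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class OrderService {

    // Hypothetical domain object for the example: an order belongs to exactly one user.
    public static class Order {
        private final long id;
        private final String owner;
        private final String item;

        public Order(long id, String owner, String item) {
            this.id = id;
            this.owner = owner;
            this.item = item;
        }
        public long getId() { return id; }
        public String getOwner() { return owner; }   // read by SpEL as returnObject.owner / filterObject.owner
        public String getItem() { return item; }
    }

    // Constructed in-memory data so the example runs without a database (assumption).
    private final List<Order> orders = new ArrayList<>(List.of(
            new Order(1, "alice", "beer"),
            new Order(2, "bob", "chocolate"),
            new Order(3, "alice", "coffee")));

    // @PreAuthorize: evaluated BEFORE the body runs. #owner is the parameter value; on a
    // mismatch the aspect throws AccessDeniedException and the body is never entered.
    @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
    public List<Order> findByOwner(String owner) {
        return orders.stream()
                .filter(o -> o.getOwner().equals(owner))
                .collect(Collectors.toList());
    }

    // @PostAuthorize: the body runs first, then the aspect checks the returned object.
    // Needed when the decision depends on data you only have after the lookup.
    // Caveat: anything the body did (logging, counters, writes) has already happened.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Order findById(long id) {
        return orders.stream().filter(o -> o.getId() == id).findFirst().orElse(null);
    }

    // @PreFilter: before the body runs, the aspect removes the elements of the argument
    // collection that fail the rule (filterObject is the current element). The caller
    // must pass a mutable Collection such as new ArrayList<>(...): the filter clears and
    // refills the collection in place, so an immutable List.of(...) fails at runtime.
    @PreFilter("filterObject.owner == authentication.name")
    public int place(List<Order> newOrders) {
        orders.addAll(newOrders);
        return newOrders.size();   // only the orders that survived the filter
    }

    // @PostFilter: the body runs, then the aspect removes the elements of the returned
    // collection that fail the rule. A fresh ArrayList is returned so the filter does not
    // mutate the stored list. Every row is loaded first, so for large tables prefer
    // filtering in the query instead of relying on @PostFilter.
    @PostFilter("filterObject.owner == authentication.name or hasRole('ADMIN')")
    public List<Order> findAll() {
        return new ArrayList<>(orders);
    }
}
```

Run with a principal named alice (for example @WithMockUser("alice") in a test): findAll() returns orders 1 and 3, findById(2) throws AccessDeniedException after the lookup has already executed, findByOwner("bob") throws AccessDeniedException before the body runs, and place(new ArrayList<>(List.of(new Order(4, "bob", "tea")))) returns 0 because the only element was filtered out.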
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * prePostEnabled = true --> @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter
 * securedEnabled = true --> @Secured
 * jsr250Enabled = true  --> @RolesAllowed
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ProjectConfig extends WebSecurityConfigurerAdapter {
}
In order to use the method-level annotations (implemented with AOP), we need to set prePostEnabled to true; it is false by default, so without it the @PreAuthorize on ProductService is silently ignored and the method is callable by anyone. securedEnabled and jsr250Enabled only switch on @Secured and @RolesAllowed respectively. In Spring Security 5.6 and later, @EnableGlobalMethodSecurity is deprecated in favour of @EnableMethodSecurity, where prePostEnabled is already true by default.